Proceed events are not always reported to the console (in the event viewer) when a web page in a category set to 'Warn' is accessed by a user and they proceed through the warning.
Paged accessed via HTTPS do not display 'Warn' or 'Block' pages to the end user. Web pages accessed via HTTPS and categorized to 'Warn' will automatically 'Proceed'.
First seen in
Sophos Endpoint Security and Control 10.0
There are two possible causes for this issue:
- Accessing a HTTPS webpage via a browser that does not support SNI will send a 'warn' event to the console, but no 'proceed' event.
- Accessing a HTTPS webpage via an IP address (rather than a Domain Name URI) on a browser that supports SNI will send a 'warn' event to the console but not a 'proceed' event.
Sophos' LSP component needs the web browser to support SNI. For example: Internet Explorer on XP does not support SNI. The web page must also be accessed via a DNS address to generate an event.
What To Do
To avoid this problem we recommend you use of a browser that supports SNI and, if possible, access the web page via a DNS name.
We may look into improving this limitation in a future product release.